It was discovered that the implementation of Ruby Array's fill method is affected by multiple integer overflows. The problem occurred in the rb_ary_fill() function in array.c and could result in insufficient memory allocations resulting in a heap overflow.

The first patch to address the integer overflow condition was added upstream (in the 1.8.6 branch) in the following commit:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13397

That change was insufficient and needs to be replaced with the following patch:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/array.c?r1=17475&r2=17759

This was applied in 1.8.6-p257:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17759
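The bug class described above (an overflowing `beg + len` leading to an undersized allocation in a fill operation), as an added example that is not part of the original report and is not Ruby's code. `struct vec`, `VEC_MAX`, `unchecked_bytes` and `vec_fill` are hypothetical names for a simplified model of a growable array.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy growable array; a simplified stand-in, not Ruby's RArray. */
struct vec { long *ptr; long len; long capa; };

/* Largest element count whose byte size still fits in a long. */
#define VEC_MAX ((long)(LONG_MAX / sizeof(long)))

/* Byte count an unchecked fill would request; size_t makes the wrap defined. */
size_t unchecked_bytes(size_t beg, size_t len)
{
    return (beg + len) * sizeof(long);
}

/* Fill [beg, beg + len) with val; returns 0 on success, -1 on rejection. */
int vec_fill(struct vec *v, long beg, long len, long val)
{
    if (beg < 0 || len < 0)
        return -1;
    /* Test before adding, so neither beg + len nor the byte count can wrap. */
    if (beg >= VEC_MAX || len > VEC_MAX - beg)
        return -1;
    long end = beg + len;
    if (end > v->capa) {
        long *p = realloc(v->ptr, (size_t)end * sizeof(long));
        if (p == NULL)
            return -1;
        v->ptr = p;
        v->capa = end;
    }
    for (long i = v->len; i < beg; i++)   /* zero any gap before beg */
        v->ptr[i] = 0;
    for (long i = beg; i < end; i++)
        v->ptr[i] = val;
    if (end > v->len)
        v->len = end;
    return 0;
}

int main(void)
{
    struct vec v = {0};
    printf("unchecked: %zu bytes\n", unchecked_bytes(1, SIZE_MAX / sizeof(long)));
    printf("checked fill: %d\n", vec_fill(&v, 1, LONG_MAX, 7));
    return 0;
}
```

The unchecked size computation wraps to a zero-byte request for a range that spans the whole address space, while the checked fill rejects the same kind of range before any allocation or write happens.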
Issue was already addressed in Fedora packages in ruby-1.8.6.230-4.
Public now via: http://www.openwall.com/lists/oss-security/2008/07/02/3
ruby-1.8.6.230-4.fc8 has been submitted as an update for Fedora 8
ruby-1.8.6.230-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
ruby-1.8.6.230-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0561.html
  http://rhn.redhat.com/errata/RHSA-2008-0562.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6094
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6033